A safe Harbor for Kubernetes

Harbor is an open source trusted cloud native registry project that stores, signs, and scans content.

Executive Summary

Harbor is an incubating project in the Cloud Native Computing Foundation (CNCF). Harbor extends the open source Docker Distribution by adding the capabilities organizations need from a registry: security, identity and management.

Harbor is a cloud native registry that supports both container images and Helm charts. Granular access control grants or restricts user access to repositories at the project level, and a user can hold different permissions for images and for Helm charts within the same project.

Harbor service architecture for Kubernetes and Docker container management

Container images and Helm charts can be replicated (synchronized) between multiple registry instances based on policies, and each policy can filter what it replicates by repository name, tag and label. If an error occurs during replication, Harbor retries automatically. To keep container images free of known Common Vulnerabilities and Exposures (CVEs), Harbor scans images on a schedule (and on push, if the project is configured for it) and supports a project-level policy that refuses to serve images whose findings reach a chosen severity, so vulnerable images are stopped before they are deployed.
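The following is an added example, not Harbor's code, of how a replication rule of the kind described above selects artifacts and how a failed push is retried. The glob syntax (`**`, `*`, `?`, `{a,b}`), the "all listed labels must be present" rule, the three-attempt retry and the `FlakyTarget` stand-in for the destination registry are assumptions of this example; the inventory is constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a doublestar-style glob into an anchored regex.

    Assumed syntax (modelled on the '**' globs Harbor's replication filters
    accept; this is not Harbor's implementation):
      '**'    any sequence, including '/'
      '*'     any sequence without '/'
      '?'     exactly one character other than '/'
      '{a,b}' any one of the listed literal alternatives
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        elif pattern[i] == "{" and "}" in pattern[i:]:
            end = pattern.index("}", i)
            alts = pattern[i + 1:end].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = end + 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


@dataclass(frozen=True)
class Artifact:
    """One image or chart tag in the source registry (constructed sample data)."""
    repository: str                  # e.g. "library/nginx"
    tag: str                         # e.g. "1.19.2"
    labels: frozenset = frozenset()  # labels an operator attached in the registry


@dataclass(frozen=True)
class ReplicationRule:
    """Filters of one replication policy: name glob, tag glob, required labels."""
    name: str = "**"
    tag: str = "**"
    labels: frozenset = frozenset()

    def selects(self, a: Artifact) -> bool:
        return (
            glob_to_regex(self.name).match(a.repository) is not None
            and glob_to_regex(self.tag).match(a.tag) is not None
            and self.labels <= a.labels  # every label in the filter must be present
        )


def replicate(rule: ReplicationRule, inventory: Iterable[Artifact],
              push: Callable[[Artifact], None], max_attempts: int = 3):
    """Push every artifact the rule selects, retrying a failing push.

    Returns (replicated, failed). 'failed' holds artifacts that still errored
    after max_attempts tries, so the caller can alert instead of silently
    dropping them.
    """
    replicated, failed = [], []
    for a in inventory:
        if not rule.selects(a):
            continue
        for attempt in range(1, max_attempts + 1):
            try:
                push(a)
                replicated.append(a)
                break
            except ConnectionError:
                if attempt == max_attempts:
                    failed.append(a)
    return replicated, failed


class FlakyTarget:
    """Constructed stand-in for the destination registry: the first
    failures_before_success[repo] pushes of a repository fail, later ones succeed."""

    def __init__(self, failures_before_success: dict):
        self.remaining = dict(failures_before_success)
        self.pushed = []

    def push(self, a: Artifact) -> None:
        if self.remaining.get(a.repository, 0) > 0:
            self.remaining[a.repository] -= 1
            raise ConnectionError(f"push of {a.repository}:{a.tag} failed")
        self.pushed.append(a)


# Constructed inventory standing in for the source Harbor instance.
INVENTORY = [
    Artifact("library/nginx", "1.19.2", frozenset({"approved"})),
    Artifact("library/nginx", "latest", frozenset({"approved"})),
    Artifact("library/nginx", "1.19.2-debug"),                   # not approved
    Artifact("library/team/app", "1.0.0", frozenset({"approved"})),
    Artifact("team-a/api", "1.2.0", frozenset({"approved"})),     # outside library/
]

# Rule: anything under library/ (any depth), 1.x tags only, approved only.
RULE = ReplicationRule(name="library/**", tag="1.*", labels=frozenset({"approved"}))


def run_replication_demo():
    """library/team/app fails once then succeeds; library/nginx keeps failing."""
    target = FlakyTarget({"library/team/app": 1, "library/nginx": 5})
    return replicate(RULE, INVENTORY, target.push)


if __name__ == "__main__":
    ok, bad = run_replication_demo()
    print("replicated:", [f"{a.repository}:{a.tag}" for a in ok])
    print("failed:    ", [f"{a.repository}:{a.tag}" for a in bad])
```

Note that the rule's `**` crosses the `/` in `library/team/app` while `*` would not, and that an artifact exhausting its retries ends up in the failed list rather than being quietly skipped; that list is what an operator should be alerted on.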

Harbor leverages OpenID Connect (OIDC), a simple identity layer on top of the OAuth 2.0 protocol, to verify the identity of users authenticated by an external identity provider, so single sign-on can be offered to users logging into the Harbor portal. Harbor also supports existing enterprise LDAP/AD for user authentication and management, and can import LDAP groups so that a group can be granted permissions on specific projects.

To support container image signing, Harbor integrates Notary, which manages trusted collections of content: publishers digitally sign a collection and consumers verify the integrity and origin of what they pull.
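As an added example (not Harbor's code), the block below models the two pull-time checks described in the preceding paragraphs: the vulnerability policy that blocks an image whose scan findings reach the project's severity threshold, and content trust, which only serves a tag whose manifest digest matches the digest recorded in the signed Notary collection. The severity ordering, the "unscanned images are blocked" rule, the CVE allowlist, the field names and all sample data (including the `CVE-EXAMPLE-*` identifiers and digests) are assumptions of this example.

```python
from dataclasses import dataclass

# Severity scale, lowest to highest (ordering assumed for this example).
SEVERITY_ORDER = ("None", "Unknown", "Negligible", "Low", "Medium", "High", "Critical")


@dataclass(frozen=True)
class Finding:
    """One vulnerability from a scan report (constructed sample shape)."""
    id: str
    package: str
    severity: str
    fix_version: str = ""


@dataclass
class ProjectPolicy:
    """Per-project pull-time controls, modelled on Harbor's project settings
    (field names belong to this example, not to Harbor's API)."""
    content_trust: bool = True               # only signed tags may be pulled
    prevent_vulnerable: bool = True          # refuse images with findings at/above threshold
    severity_threshold: str = "High"
    cve_allowlist: frozenset = frozenset()   # accepted findings that do not block (assumption)


@dataclass
class PullRequest:
    """What the registry knows about the artifact at pull time (constructed)."""
    repository: str
    tag: str
    manifest_digest: str
    scanned: bool
    findings: tuple = ()


def evaluate_pull(policy: ProjectPolicy, req: PullRequest, trusted_targets: dict):
    """Decide whether a pull is allowed; returns (allowed, reasons).

    trusted_targets maps (repository, tag) -> digest recorded in the signed
    Notary collection. A tag counts as signed only when that digest equals
    the manifest digest actually being served, so a re-tagged or replaced
    manifest fails the check even though the tag name has a signature.
    """
    reasons = []
    if policy.content_trust:
        signed_digest = trusted_targets.get((req.repository, req.tag))
        if signed_digest is None:
            reasons.append("content trust: tag has no signature")
        elif signed_digest != req.manifest_digest:
            reasons.append("content trust: signed digest does not match manifest")
    if policy.prevent_vulnerable:
        if not req.scanned:
            reasons.append("vulnerability policy: image has not been scanned")
        else:
            threshold = SEVERITY_ORDER.index(policy.severity_threshold)
            blocking = [f for f in req.findings
                        if SEVERITY_ORDER.index(f.severity) >= threshold
                        and f.id not in policy.cve_allowlist]
            if blocking:
                worst = max(blocking, key=lambda f: SEVERITY_ORDER.index(f.severity))
                reasons.append(
                    f"vulnerability policy: {len(blocking)} finding(s) at or above "
                    f"{policy.severity_threshold}, worst {worst.id} ({worst.severity})")
    return (not reasons, reasons)


# Constructed signed targets (what a Notary client would have verified).
TRUSTED = {
    ("prod/api", "2.0.0"): "sha256:aaaa",
    ("prod/api", "2.0.1"): "sha256:bbbb",
}
POLICY = ProjectPolicy(cve_allowlist=frozenset({"CVE-EXAMPLE-0001"}))


def run_pull_demo():
    """Evaluate a handful of constructed pulls against POLICY and TRUSTED."""
    cases = {
        "clean": PullRequest("prod/api", "2.0.0", "sha256:aaaa", True,
                             (Finding("CVE-EXAMPLE-0003", "zlib", "Low"),)),
        "allowlisted": PullRequest("prod/api", "2.0.0", "sha256:aaaa", True,
                                   (Finding("CVE-EXAMPLE-0001", "openssl", "High"),
                                    Finding("CVE-EXAMPLE-0002", "curl", "Medium"))),
        "critical": PullRequest("prod/api", "2.0.0", "sha256:aaaa", True,
                                (Finding("CVE-EXAMPLE-0004", "glibc", "Critical", "2.31-1"),)),
        # signed tag, but the manifest behind it was replaced
        "tampered": PullRequest("prod/api", "2.0.1", "sha256:cccc", True),
        "unsigned_unscanned": PullRequest("prod/api", "latest", "sha256:dddd", False),
    }
    return {name: evaluate_pull(POLICY, req, TRUSTED) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in run_pull_demo().items():
        print(f"{name:20} {'ALLOW' if allowed else 'DENY '} {reasons}")
```

The "tampered" case is the one that matters for origin verification: the tag is signed, but because the check compares digests rather than tag names, swapping the manifest behind a signed tag is still refused.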

Using the Harbor user portal, users can browse and search repositories and manage projects. All operations on repositories are audited and tracked through logs. Administrators can also drive Harbor through its REST API; the API definitions can be found in the Swagger doc here.

Harbor can be deployed into your Kubernetes cluster using its Helm chart, or on a single host with Docker Compose.

Conclusion

Harbor is well along the maturity curve toward becoming a graduated CNCF project. The October 2019 pentest concluded that the number of findings was very low and that the overall results and general impression of the codebase were positive.

The capabilities gained by using an open source solution such as Harbor (container security scanning, role-based access management, monitoring, auditing and logging) can be a big win for your organization. Early adopters will be well positioned as the inevitable product hardening and maturity is realized.

Mitch is a Thought Leader and an Architect at Steampunk where he contributes to delivering human-centered, secure digital platforms.
His work-related interests span the gamut of application integration, scalable secure clusters, embedded systems, and user interfaces. After hours you might find him dabbling in the hobby space with Raspberry Pis, drones, photography, home wine making and other ferments.

Published by Mitch Dresdner
